
Windows 2000 VPN and Software based EAP certificates


Alastair

Oct 31, 2002, 8:45:35 AM
Hi

Because our VPN server sits behind a firewall that uses NAT, the VPN IPsec
protocol would not work.

I have set up a Windows 2000 VPN server utilising EAP as the authentication
protocol. I have also set up the relevant CA in our domain. I realise
that EAP is intended for Smart card storage of certificates etc, however it
does appear to work with software based certificates.

Does anyone have any experience of this kind of infrastructure? Is there
any way for Microsoft-issued certificates to request a 'Challenge Password'?

It would seem that once you have configured the VPN client to use EAP
software-based certificates and have a valid certificate installed, that is
all you need. It would be great if the system prompted for user name and
password credentials as well.

Thanks in advance.

Alastair


Hardcore Consultant

Oct 31, 2002, 11:41:40 PM
I set up an L2TP/IPsec VPN with certificates (EAP).

Remember that the username/password credentials have already been
provided by way of you having logged into the domain account. That is
the user-level authentication necessary to be able to access the
private key that will be used along with your certificate as part of
the IKE phase of connection.

In the "Certificate Types" step of the MMC certificate request wizard,
if you check "Advanced" there, you can also mark the certificate as
needing "strong key protection" (meaning you will be prompted and have
to allow/deny access to any code attempting to access the keystore).

And finally, I'm pretty sure that there is a way to provide a password
for a keystore. It's hard for me to say that it provides no added
benefit, since it provides another layer of authentication (albeit,
unintegrated with the rest of the system). Maybe someone more
knowledgeable can chime in here...

But if a hacker has already authenticated with the domain, he can just
walk in to the building and sit down at a workstation... ;)

"Alastair" <sp...@trap.com> wrote in message news:<OKP6ZOOgCHA.1656@tkmsftngp11>...
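The "strong key protection" the reply describes, shown as an added example in modern PowerShell (this is not code from either poster, and it is not the Windows 2000 MMC wizard itself). It assumes Windows 8 / Server 2012 or later for New-SelfSignedCertificate, an interactive desktop session so the CSP can display its dialog, and a throwaway self-signed client-authentication certificate standing in for one issued by the domain CA. The flag it sets, X509KeyStorageFlags.UserProtected (CRYPT_USER_PROTECTED), is what the wizard's "Enable strong private key protection" checkbox sets: Windows then prompts before any process may use the private key, which is the only extra challenge a software certificate can add on top of the domain logon that already unlocks the user's key store.

```powershell
# Added example, not from the thread. Re-imports a certificate's private key with
# UserProtected so Windows prompts whenever an application (e.g. the VPN client's
# EAP-TLS / IKE signature) touches the key. Run in an interactive session.

$subject = 'CN=vpn-user-demo'                       # constructed demo subject
$pfxPath = Join-Path $env:TEMP 'vpn-user-demo.pfx'   # constructed temporary path
$pfxPass = ConvertTo-SecureString -String 'demo-pfx-password' -AsPlainText -Force

# 1. Create a throwaway Client Authentication certificate (EKU 1.3.6.1.5.5.7.3.2),
#    standing in for one enrolled from the domain CA. Exportable so we can round-trip it.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 2. Export to PFX and drop the unprotected copy from the store, so the only
#    instance left afterwards is the protected one.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint)

# 3. Re-import with UserProtected. The CSP shows the strong key protection dialog
#    now (optionally letting the user set a key password), and again on every
#    later private key operation. PersistKeySet keeps the key in the user's store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserProtected -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$protected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $pfxPass, $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($protected)
$store.Close()
Remove-Item -Path $pfxPath   # do not leave the PFX (key + password) lying around

# 4. Check: the certificate is back with a private key. Any signing with it from
#    here on, including the VPN client's, triggers the prompt.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $protected.Thumbprint } |
    Select-Object Subject, HasPrivateKey, NotAfter
```

Two caveats a practitioner will hit: the prompt is a desktop dialog, so a service or a non-interactive logon cannot satisfy it, and the protection is only as good as the interactive session it runs in. It stops a background process from silently using the key; it does not turn a software certificate into a second factor the way the smart card the original poster mentions would.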
